[ietf78-tech] inbound filtering optimization?

John Kemp kemp at network-services.uoregon.edu
Mon Jul 5 11:45:09 PDT 2010


Just to be clear on this, it's really just an optimization
so we don't have to do connection tracking on the inbound
direction. So we get matches for the inbound traffic
with 100% efficiency.

This also simplifies the rules, and will make the
box run much faster.  And clients are
not exposed (i.e. pushing traffic from inside to outside)
until they are authenticated...

And we allow incoming connects, which I think is an
obvious benefit as well.

I suggest we run this way.

/jgk

On 07/05/2010 10:52 AM, John Kemp wrote:
> 
> The default setup for Captivator does connection tracking
> for in -> out traffic, but doesn't allow new connections to
> be established out -> in.
> 
> My own preference would be to put a default allow for inbound.
> If that is OK with everybody, I'd like to do that.  Will make
> stuff work for people that need to go that direction, and I don't
> see a good reason to filter that direction.  Yes/no?
> 
> The outbound traffic would still get the optimization from
> the connection tracking, and would still be subject to the
> redirection if not authenticated.
> 
> ?
> /jgk
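A small model of the two inbound policies being debated, added here as an illustration and not Captivator's own code: outbound traffic is always connection-tracked and redirected when the client is unauthenticated, while the inbound side either consults the state table (strict) or is accepted without any lookup (the optimization described above). The addresses, the portal target and the traffic cases are constructed assumptions; the last case shows the trade-off, an unsolicited connection from outside reaching a client that never logged in.

```python
from dataclasses import dataclass

PORTAL = "portal.example:80"  # constructed: where unauthenticated clients are sent

@dataclass(frozen=True)
class Packet:
    src: str        # source address
    dst: str        # destination address
    direction: str  # "in->out" (client toward the Internet) or "out->in"

class CaptivePolicy:
    """Forwarding decision for a captive-portal box, with one flag for the
    inbound policy discussed in the thread (model only, not Captivator's rules)."""

    def __init__(self, inbound_default_allow: bool):
        self.inbound_default_allow = inbound_default_allow
        self.authenticated: set[str] = set()          # clients past the portal
        self.conntrack: set[tuple[str, str]] = set()  # (client, server) flows seen

    def decide(self, p: Packet) -> str:
        if p.direction == "in->out":
            # Outbound is always tracked; unauthenticated clients are redirected.
            if p.src not in self.authenticated:
                return f"REDIRECT {PORTAL}"
            self.conntrack.add((p.src, p.dst))
            return "ACCEPT"
        if self.inbound_default_allow:
            # The optimization: inbound is accepted with no state lookup at all.
            return "ACCEPT"
        # Strict variant: only replies to tracked outbound flows are let in.
        return "ACCEPT" if (p.dst, p.src) in self.conntrack else "DROP"

def compare_policies() -> dict[str, str]:
    """Run the same constructed traffic through both variants; keys are "<case>/<strict|open>"."""
    results = {}
    for name, allow in (("strict", False), ("open", True)):
        f = CaptivePolicy(inbound_default_allow=allow)
        f.authenticated.add("10.0.0.5")  # constructed: one logged-in client
        cases = {
            "auth-outbound": Packet("10.0.0.5", "203.0.113.10", "in->out"),
            "reply-to-auth": Packet("203.0.113.10", "10.0.0.5", "out->in"),
            "unauth-outbound": Packet("10.0.0.9", "203.0.113.10", "in->out"),
            # Unsolicited connection from outside to a client that never logged in
            "unsolicited-inbound": Packet("198.51.100.7", "10.0.0.9", "out->in"),
        }
        for case, pkt in cases.items():
            results[f"{case}/{name}"] = f.decide(pkt)
    return results
```

Both variants redirect the unauthenticated outbound attempt and pass the reply to the logged-in client; they differ only on the unsolicited inbound connection, which the open variant forwards.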